
What is a computer virus?

A computer virus is a small software program that spreads from one computer to another computer and that interferes with computer operation. A computer virus may corrupt or delete data on a computer, use an e-mail program to spread the virus to other computers, or even delete everything on the hard disk.

Computer viruses are most easily spread by attachments in e-mail messages or by instant messaging messages. Therefore, you must never open an e-mail attachment unless you know who sent the message or unless you are expecting the e-mail attachment. Computer viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Computer viruses also spread by using downloads on the Internet. Computer viruses can be hidden in pirated software or in other files or programs that you may download.

Symptoms of a computer virus


If you suspect or confirm that your computer is infected with a computer
virus, obtain the current antivirus software. The following are some primary
indicators that a computer may be infected:

• The computer runs slower than usual.
• The computer stops responding, or it locks up frequently.
• The computer crashes, and then it restarts every few minutes.
• The computer restarts on its own. Additionally, the computer does not run as usual.
• Applications on the computer do not work correctly.
• Disks or disk drives are inaccessible.
• You cannot print items correctly.
• You see unusual error messages.
• You see distorted menus and dialog boxes.
• There is a double extension on an attachment that you recently opened, such as a .jpg, .vbs, .gif, or .exe extension.
• An antivirus program is disabled for no reason. Additionally, the antivirus program cannot be restarted.
• An antivirus program cannot be installed on the computer, or the antivirus program will not run.
• New icons appear on the desktop that you did not put there, or the icons are not associated with any recently installed programs.
• Strange sounds or music plays from the speakers unexpectedly.
• A program disappears from the computer even though you did not intentionally remove the program.

Note These are common signs of infection. However, these signs may also
be caused by hardware or software problems that have nothing to do with a
computer virus. Unless you run the Microsoft Malicious Software Removal
Tool, and then you install industry-standard, up-to-date antivirus software
on your computer, you cannot be certain whether a computer is infected
with a computer virus or not.

Symptoms of worms and Trojan horse viruses in e-mail messages
When a computer virus infects e-mail messages or infects other files on a
computer, you may notice the following symptoms:

• The infected file may make copies of itself. This behavior may use up all the free space on the hard disk.
• A copy of the infected file may be sent to all the addresses in an e-mail address list.
• The computer virus may reformat the hard disk. This behavior will delete files and programs.
• The computer virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from the computer.
• The computer virus may reduce security. This could enable intruders to remotely access the computer or the network.
• You receive an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.
• Someone tells you that they have recently received e-mail messages from you that contained attached files that you did not send. The files that are attached to the e-mail messages have extensions such as .exe, .bat, .scr, and .vbs.

Symptoms that may be the result of ordinary Windows functions
A computer virus infection may cause the following problems:

• Windows does not start even though you have not made any system changes or even though you have not installed or removed any programs.
• There is frequent modem activity. If you have an external modem, you may notice the lights blinking frequently when the modem is not being used. You may be unknowingly supplying pirated software.
• Windows does not start because certain important system files are missing. Additionally, you receive an error message that lists the missing files.
• The computer sometimes starts as expected. However, at other times, the computer stops responding before the desktop icons and the taskbar appear.
• The computer runs very slowly. Additionally, the computer takes longer than expected to start.
• You receive out-of-memory error messages even though the computer has sufficient RAM.
• New programs are installed incorrectly.
• Windows spontaneously restarts unexpectedly.
• Programs that used to run stop responding frequently. Even if you remove and reinstall the programs, the issue continues to occur.
• A disk utility such as Scandisk reports multiple serious disk errors.
• A partition disappears.
• The computer always stops responding when you try to use Microsoft Office products.
• You cannot start Windows Task Manager.
• Antivirus software indicates that a computer virus is present.

The popularity of the internet and the steady adoption of always-on broadband technologies have allowed malicious threats to spread quickly. Now more than ever, it's important to effectively and efficiently defend every computer in an organization against Trojans, viruses and worms.

Introduction to malware, trojans, viruses, worms and other threats
When you know what threats you face, you can determine which proactive
measures to take. During the past decade or so, viruses have become
increasingly sophisticated.
At the same time, the internet's ever-growing popularity and the steady
adoption of always-on broadband technologies have made it possible for
viruses to spread more quickly than has ever been possible in the past.
Now more than ever, it's important to defend every computer in an
organization against viruses in the most effective manner possible.
A virus, at the most basic level, is a small piece of software that causes unexpected activities or actions on computer systems. A virus is an executable program, often just a script that relies on another application sure to be running on a computer, like the macro viruses that infect Microsoft Word. Like a biological virus, a computer virus replicates quickly. A virus lives to create more viruses, and its secondary purpose is to do some damage or cause embarrassment.
A virus cannot infect computer data because data files are not executed. Users sometimes believe that document files carry viruses, but the macro code hidden inside those files is actually the culprit.

Viruses vary, but almost all have three parts:

• Replicator
The code concerned with replication creates copies of the virus. If the virus does nothing beyond this, it remains an irritation but does not cause damage beyond consuming disk space, CPU (central processing unit) time, and bandwidth.

• Concealer
Concealment promotes the virus from being an irritation to being a real problem. Viruses that take the trouble to hide generally plan to cause more damage. Viruses began hiding in boot sectors -- that is, code files that are activated when the computer starts up -- early in virus history, and this can cause serious frustration. But viruses also use other tricks, such as morphing, overwriting, and nonoverwriting.

• Payload
The payload delivers the pain in a virus to the end user. If the user is lucky, a message appears, essentially laughing at the user's inability to protect his or her computer. If the user is unlucky, the virus causes commands to execute, files to be trashed, data to be captured and sent to outsiders, or hard drives to be completely reformatted.

Types of Viruses

• Macro viruses
Most users are wary of unverified and unscreened .doc files because they can carry viruses. A user doesn't energize a virus by opening and reading the .doc file but by executing macros included in that file. Macro viruses take advantage of the fact that Microsoft chose to enhance integration across its Microsoft Office component applications by creating a method for Visual Basic routines to execute inside Microsoft Word. Clever corporate developers weave magical applications that flit in and out of desktop Word and Excel files while tying them all to large databases. Clever virus developers follow gleefully behind, tying desktops in knots.
The vast majority of viruses causing corporate grief today are macro viruses. More than 73,000 viruses have been cataloged, and approximately 99 percent of them derive from one of a few hundred foundation viruses. The majority of those, 75 percent or more, depending on the reference source, are macro viruses.

• Polymorphic viruses
A polymorphic virus aggravates people until the tracking tools become refined enough to catch it. Hackers now circulate programming tools that convert standard viruses into polymorphic viruses.

• Stealth viruses
A sneaky way for a virus to remain undetected is to actually hide where it exists in your computer memory or on the hard drive. It may do this by co-opting a function, such as examining memory locations or physical locations on the disk drive. When antivirus programs or other tools search these locations, the stealth virus redirects them to the original code, which was copied during the infestation. The original code doesn't have a virus, so the antivirus software reports that all is well. Still hidden thanks to the redirection ruse, the stealth virus remains and continues to infest the computer.
Stealth viruses, which intercept and redirect complete DOS calls to read the hard drive sectors, must be fairly large. To avoid detection, they report false file sizes so changes in executable files remain hidden.

• Boot viruses
In today's world of hard disk drive boot processes, the MBR (master boot record) is a target for virus writers. Because a boot virus grabs control of the system early in the boot process, it can do great damage and remain hidden.
Any disruption of the MBR turns your hard disk into a paperweight, and even reformatting the drive can't get all the boot sector virus types still in the wild.
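Because a boot virus has to change the bootstrap code in the MBR to gain control, a defender can catch that change by comparing the sector against a baseline taken when the machine was known to be clean, which is what disk utilities and antivirus boot-sector checks do. The Python below is an added example written for this page, not code from the original course. The sector layout it parses (bootstrap code in bytes 0-445, four 16-byte partition entries from byte 446, the 0x55AA signature at bytes 510-511) is the standard MBR format; the sample sector, the baseline hash and the function names are constructed here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes):
    """Split a 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    code = sector[:PARTITION_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_code_sha256: str):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_sample_mbr(code_fill: bytes) -> bytes:
    """Construct a synthetic MBR: filler boot code, one bootable partition, valid signature."""
    code = (code_fill * PARTITION_TABLE_OFFSET)[:PARTITION_TABLE_OFFSET]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, type 0x07, 100 MiB
    table = entry + b"\x00" * 48  # remaining three slots unused
    return code + table + BOOT_SIGNATURE


# Constructed known-good sector and the baseline recorded from it.
KNOWN_GOOD = build_sample_mbr(b"\x90")
BASELINE = parse_mbr(KNOWN_GOOD)["code_sha256"]

# Constructed "infected" sector: same partition table, first bytes of boot code changed.
TAMPERED = b"\x00\x00\x00\x00" + KNOWN_GOOD[4:]

if __name__ == "__main__":
    # On a real system you would read the first 512 bytes of the raw system disk
    # (administrator rights required; device path is site-specific and left as a placeholder).
    for label, sector in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(label, check_mbr(sector, BASELINE) or "matches baseline")
```

The baseline must be stored somewhere the boot code cannot reach, such as a management server, otherwise a virus that rewrites the MBR could rewrite the baseline too.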
• Email viruses
Because the majority of viruses are spread via email in some form or fashion, there really isn't a pure email virus limited to email transmission. However, users forever fall into the trap of opening files attached to emails, making this category a necessary one.
An executable file attached to an email wreaks havoc almost instantly after someone clicks and opens it. You can yell all you want about not opening attached files, but users often either forget the warnings or get fooled.
Miscreants are getting more adept at hiding their executable email attachments. One of the early tricks was to show an extension on an attached file that indicates a non-executable file, such as .txt or .doc, and trusting that the user hadn't changed the Microsoft Windows default of hiding extensions. A .txt file appears in the display, but when the user clicks to open it, the real extension, .exe, kicks in and starts the devastation.
Today, virus attachments sometimes have a .vbs extension for Visual Basic because many users don't recognize that extension. They also sometimes have the obscure .shs extension, for Windows OLE (object linking and embedding) scrap files. Some cleverly include an .lnk extension to trick the user to click the link file and launch the .exe application described within.
Viruses are a tricky group of malicious software. There's more than one way to contract a virus, and there's more than one way for a virus to make your life miserable. However, viruses aren't the only threat out there. On the next page, you'll learn about a type of malicious software called worms. These nasty little bugs can quickly become major headaches, so keep reading to learn more about how they work.
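The double-extension symptom listed earlier and the hidden-extension tricks described in this section (.txt or .doc in front of the real .exe, plus the .vbs, .shs and .lnk types) can be checked mechanically at the mail gateway before a user ever sees the attachment. The Python below is an added example written for this page, not code from the original course or any mail product; the two extension sets and the sample attachment names are constructed for illustration, and the verdict rests on the file name alone, so it belongs in front of content scanning rather than in place of it.

```python
import os

# Constructed policy sets for this example. Executable types include those named on
# the page (.exe, .bat, .scr, .vbs, .shs, .lnk); the others are common Windows
# executable/script types.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".shs", ".lnk",
}
# Types users tend to regard as harmless, and so are used as the decoy first extension.
BENIGN_LOOKING_EXTENSIONS = {
    ".txt", ".doc", ".jpg", ".gif", ".png", ".pdf", ".mp3", ".avi",
}


def extension_chain(filename: str):
    """Return every dotted suffix of a file name, outermost last.

    'photo.jpg.exe' -> ['.jpg', '.exe']. Whitespace inside a suffix is stripped,
    so 'photo.jpg        .exe' (padding that pushes the real extension out of
    view in a narrow attachment pane) is also read as ['.jpg', '.exe'].
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = [p.strip().lower() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str):
    """Return (verdict, reason) where verdict is 'allow', 'block' or 'review'."""
    chain = extension_chain(filename)
    if not chain:
        return "review", "no extension"
    real = chain[-1]  # the extension Windows actually acts on
    if real in EXECUTABLE_EXTENSIONS:
        if len(chain) >= 2 and chain[-2] in BENIGN_LOOKING_EXTENSIONS:
            return "block", f"double extension: presented as {chain[-2]}, actually {real}"
        return "block", f"executable attachment type {real}"
    return "allow", f"non-executable type {real}"


def scan_attachments(filenames):
    """Classify a batch of names; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name) for name in filenames}


# Constructed sample of attachment names as they might appear in a gateway log.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.doc",
    "greeting_card.jpg.exe",
    "readme.txt                                  .scr",
    "funny_clip.avi.lnk",
    "notes.vbs",
    "budget",
]

if __name__ == "__main__":
    for name, (verdict, reason) in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6}  {name!r}: {reason}")
```

Names with no extension are sent for review rather than blocked, because a name-only rule cannot tell a harmless text file from a renamed executable; that is the job of the content scanner behind it.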
• Malware
Malware refers to any malicious, unexpected, or parasitic macros, code, or applications. It is sometimes difficult to classify code as strictly a virus, worm, or Trojan -- and it often doesn't matter which particular variety you're dealing with. The term malware is therefore used as a generic term for any malicious software.

• Worms: a self-replicating threat
Worms are a malware threat that can create havoc if given enough wiggle room. Worm writers have become clever. The Bigtime Worm -- SoBig.f -- created internet chaos and spread worldwide in a few short minutes. It hit the internet with the devastation of a category 5 hurricane slamming into the coastline. And when something hits like a hurricane, firewalls and other barriers quickly blow away. Worms are different from viruses because worms are self-replicating, and they don't have to be attached to a document or another file created by an outside user. Worms can send themselves, quickly and quietly, to everyone in an email contact list.
As with viruses, internet email carries the freight for worms. In addition, worms such as SoBig.f can work across Windows-based network shared disk access and carry their own email-sending server software. Also like viruses, worms take advantage of a built-in Microsoft feature: In this case, they exploit the handy ability Microsoft gives developers to allow applications to read and write a user's address book and launch new email messages. Microsoft has addressed these issues in newer versions of its applications, however, making the worm writer's job more difficult.
Original worms replicated themselves until the host system's memory or hard disk space (or both) was filled with worm copies. Today, we can look back at that type of worm with warm nostalgia. New worms are likely to explode across the internet while disabling security programs in infected systems.

• Good worms
Programs that coordinate large numbers of connected systems by putting and getting data points for individual processing are, technically, worms. In fact, interactive technologies such as IRC (Internet Relay Chat) could be called worms in some odd definitions.
The first and therefore most famous good worm is the SETI (Search for Extraterrestrial Intelligence) project. Millions of computer users, through the SETI screensaver, agreed to let the SETI group parse radio antenna data for intelligent signals. (Other groups are doing the same type of operation in their quest for drug development and the like.) Each user agreed to make his or her system a host for this worm, which comes and goes with data, without interaction from the user. We call this version a good worm because people agreed to host the application on their systems and allow data collection and transmission automatically.
But many worms are not good and in fact can create havoc in a matter of minutes. Oftentimes, worms overwhelm email servers and choke bandwidth rather than trashing hard disks or corrupting files. Some worms double the number of infected systems every minute (yes, every minute), so a worm with a destructive payload could do great damage. When you read headlines saying that major Fortune 500 companies are paralyzed because a worm infestation clogged their email servers, it's not a stretch to think that the next attack could format the majority of desktop-housed hard disks.
However, viruses and worms aren't the only threats you need to worry about. Another threat, called a Trojan, can be equally devastating. On the next page, you'll learn more about what Trojans are and how they can affect your computers and your network.
After fighting with the Trojans for years, the ancient Greeks built a giant
wooden horse and offered it to the Trojans as a peace offering. The
Trojans didn't know, however, that the Trojan Horse held hidden Greek
soldiers. The Trojans allowed the horse to be brought inside the fortified
city walls and began to celebrate. While the Trojans were sleeping off the
party, the Greek soldiers crawled out of the horse and captured the city.
Trojans that infect your computer work the same way as the Trojan Horse:
They sneak in and catch you unaware. By the time you know there's
something wrong, the damage is already done, and it's usually not
reversible.
• Trojan horse worms
A Trojan horse application actively emails copies of itself to addresses found on infected computers. Often using the lure of an adult picture, a Trojan becomes a virus in horse's clothing. Users may never get wise to worms and viruses sending them malware from the infected computers of their friends. Because Trojans can beat antivirus program checks while masquerading as standard services, email attachments are assumed safe.

Trojans triggering DDoS attacks
Some Trojan horse programs don't attempt any mischief until triggered to launch DDoS attacks on specific targets. By launching these attacks from thousands of computers on thousands of access points around the internet, the attackers were more successful than they had been by using one or two hidden sources for DDoS attacks. Trojan horse malware offers great advantages to evildoers. The programs can be distributed in a number of ways and can self-distribute via the worm modifications. As if viruses, worms, and Trojans weren't enough, we also need to protect against spyware, which is discussed next.
• Spyware: a quiet, dangerous threat
Like Trojan horse malware, spyware sends information out across the internet to some other location. However, spyware monitors user activity on the system, down to keystrokes typed, and then it sends this logged information to the originator. If the originator is a hacker, passwords, account numbers, and other secrets will be secrets no longer. Messages sent from spyware often escape undetected by using standard email processes. Users collect spyware from many places, especially websites. Spyware often hides in shareware applications that perform otherwise useful functions. Oftentimes, the originator of spyware is the company that owns the computer and employs the user. Legally, the company has a right to operate such software because everything the employee does as a matter of employment belongs to the company.
Although a company can monitor employees in this manner, it's not a good idea. When employees find out, they get angry. If the company monitors a nonemployee, such as a salesperson logging in to his or her own website for a price update, the company breaks the law by capturing that person's password. Besides these types of issues, having legitimate spyware on systems makes it difficult to find and expunge outside spyware. Spyware is becoming an increasingly dangerous threat. It's quiet, it's hard to detect, and the results can be devastating.

Understanding basic protections

With a thin client, all applications run on a server. If your company doesn't have a firewall, or multiple firewalls, you're in trouble. If your company doesn't search email attachments before they get to users, you're in trouble. Because you're taking this class, you may already know you're in trouble. Let's look at some of the basic things you must have to protect your company.
• Implement firewalls
Notice that the heading is plural: You need multiple firewalls. Unless your company exists completely within four walls as a single-location entity with only one connection to the outside world, you need more than one firewall. Do not let anything or anyone bypass your firewall, no matter how trustworthy they swear they are. Nothing comes or goes from your company except through a firewall.
• Scan email attachments
Much malware spreads via email attachments. Sometimes users can see these attachments, and sometimes they're cleverly hidden. You can't trust users to remember how to handle attachments. Your spam control software should offer virus checking of email attachments. If it doesn't, you should update your spam control software or buy separate attachment-scanning tools. Stopping spam helps stop virus attacks as well. If you don't have any type of spam control, you need to get some. Letting spam into your office means trusting your users to properly handle attachments and messages that have exploits hidden inside them. These are just the basics of security, but there's much more. No single protection technology can keep your organization safe. Instead, you need to have layers of security, each more difficult to bypass than the previous. On the next page, you'll learn about layering your security efforts.
• Secure firewalls
Early firewalls blocked most port numbers against outsiders and did little else. The world of firewalls has grown, matured, and grown some more. Firewalls today deserve their reputation as the first, and perhaps strongest, line of defense against malware. Early on, firewalls never checked the content going through them. As long as incoming packets matched requests, such as a web server response to a client request, and email came with a proper address, the firewall let the packet through. Today, with advanced firewall filtering and security functions, you can keep up to 90 percent of malware outside your network. Imagine that number again: You can eliminate 9 out of 10 problems by implementing a strong firewall with the proper configuration.
• Implementing antispoofing
Spoofing occurs when an outsider modifies a packet header to make it appear as though the packet really came from inside the network. This can fool a firewall because the IP address has security clearance properties that allow it inside the network. You need to turn on antispoofing in your firewalls.
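The antispoofing rule described above is simple to state: a packet arriving on the outside interface must not carry a source address from inside the network, and a packet arriving on the inside interface must carry one. The Python below is an added example written for this page, not the configuration syntax of any firewall product; the inside prefixes, the non-routable prefix list and the sample packets are constructed for illustration, and the interface names "outside" and "inside" are assumed.

```python
import ipaddress

# Constructed topology: the LAN prefixes that sit behind the firewall's inside interface.
INSIDE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Prefixes that can never legitimately be a source address arriving from the Internet
# (private, loopback, link-local, multicast, "this network").
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def is_inside_address(ip):
    """True if the address belongs to a prefix behind the inside interface."""
    return any(ip in net for net in INSIDE_NETWORKS)


def antispoof_check(ingress_iface: str, src_ip: str):
    """Decide whether a source address is plausible for the interface it arrived on.

    Returns ("drop", reason) for a spoofed source, else ("pass", reason).
    The rule is symmetric: inside addresses must not arrive from outside,
    and only inside addresses may leave via the inside interface.
    """
    src = ipaddress.ip_address(src_ip)
    if ingress_iface == "outside":
        if is_inside_address(src):
            return "drop", "inside source address arriving on outside interface"
        if any(src in net for net in NON_ROUTABLE):
            return "drop", "non-routable source address arriving from the Internet"
        return "pass", "plausible external source"
    if ingress_iface == "inside":
        if not is_inside_address(src):
            return "drop", "source not in any inside prefix (outbound spoofing)"
        return "pass", "inside source on inside interface"
    return "drop", f"unknown interface {ingress_iface!r}"


def filter_packets(packets):
    """Run the check over (iface, src, dst) tuples; return [(src, verdict, reason), ...]."""
    return [(src, *antispoof_check(iface, src)) for iface, src, dst in packets]


# Constructed packet headers as a packet filter would see them.
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "10.20.1.5"),      # ordinary inbound from the Internet
    ("outside", "10.20.1.9", "10.20.1.5"),        # claims to be a LAN host but came from outside
    ("outside", "127.0.0.1", "10.20.1.5"),        # loopback source is never valid here
    ("inside", "192.168.50.12", "198.51.100.3"),  # normal outbound traffic
    ("inside", "198.51.100.44", "198.51.100.3"),  # LAN host using a forged external source
]

if __name__ == "__main__":
    for src, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:4}  {src:15}  {reason}")
```

The outbound half of the rule matters as much as the inbound half: it keeps an infected machine on your own network from sending traffic with forged sources, which is what Trojan-driven DDoS attacks rely on.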
• Clean up
You need to apply patches to your virus software, server software, and desktop software. Major vendors normally issue patches after a major outbreak just for this reason. You should also find and restore any damaged files and go through affected servers, especially email servers, and verify that email boxes and history files remain intact. Debrief the team and affected users. Team members and power users can help you decipher what really happened and, possibly, why. You should discuss steps taken during the attack and rationally decide which steps helped and which hurt. Then you should do the same for your managers if they're not in the room.

Security tools and techniques

Protection products provide important tools to keep your computers free of security threats. But new types of malware arrive every day, so it's important to have the right products and keep them up to date.
• Selecting antivirus protection
Antivirus software -- software that scans your computer, searching for telltale signs that a virus has either infiltrated your machine or is trying to infiltrate your machine -- is no longer just an option. Today, with the exponential growth of threats from viruses, it's a requirement. There are dozens of great antivirus programs on the market to choose from (and hundreds more that are so-so). So how do you know which antivirus program is right for you? There really is no easy answer to this question because each organization has different needs. One important consideration is how much your organization wants to spend. An organization may not care about the cost of antivirus software but want the program to protect every file during every movement. For a situation like this, several antivirus programs work well, including those from McAfee and Norton. However, those programs can be very expensive when you begin installing them on a corporate level.
McAfee offers complete protection packages for SMBs.
On the other hand, some organizations don't have the capital to sink into that type of protection, but they still want to be very well protected by their antivirus program. For such situations, an organization can turn to one of the host of free services that do a decent job of protecting all the computers on a network. If you choose to go the free route, you could potentially not have all the protection you need. A much better option is to choose one of the well-known antivirus programs and add to it services that you can afford. For example, with Norton AntiVirus, you can have just the basic antivirus scanning, or you can add everything from a firewall to spyware protection. You can start by adding the elements you can afford, and later, as more capital becomes available, you add additional services.
• Update your software
An important issue with antivirus software is its timeliness. Viruses change daily. The big virus that everyone is fighting today will be a memory tomorrow, when it's replaced by something different. If you don't have a regular update service on your antivirus software, you may be protected today, but tomorrow you could be hit by the mother of all viruses.
All antivirus programs offer update packages. However, not all update packages are created equally. Some programs are updated on a fee basis so that the more you pay, the more frequently the antivirus definitions are updated. Other programs offer hourly, daily, or weekly updates. Which scenario is right for you depends on your business needs. If you have heavy internet or email traffic, you may prefer to have hourly or daily updates, but if the traffic outside your network isn't that high, you might be able to wait for weekly updates.

• Try before you buy
Each antivirus program is different. If you perform an internet search for antivirus, you'll find a plethora of available programs. It's a great idea to take the time to go through the trial period with each antivirus program you think might meet your needs. This trial will let you see how easily the antivirus program integrates into your existing security structure as well as how difficult or easy it is to use. When you've completed the trial period for several products, you can make a final decision.
You need to take some time to find the antivirus program that works best for your organization. After you've found the right one, you should consider looking at other virus and malware protection technologies, such as scanning technologies that are more advanced than those included with most antivirus programs.
• Exploring scanning technologies
Two common scanning techniques are the old standby signature scanning and the newer, more effective behavior-based virus detection. Signature-scanning techniques look for snippets or patterns of programming code that are unique to viruses and other malware. Behavior-based scanning works a little differently. Instead of looking for a design element such as code, behavior-based scanning looks at the way certain executable files make your computer behave. So, for example, if you install a small piece of code that doesn't contain a known signature, but it suddenly causes your email program to begin sending out thousands of emails, the behavior-based scanning tool will locate the problem more quickly than a signature-based scan might.

• Scan for signatures
Early virus detection programs scanned files to find thousands of virus signatures used by viruses. Almost every program, virus or not, has some identifiable text inside its code. Searching for one of those known virus signatures was the method of choice in the early days of virus fighting. Such technology can still be used to detect simple viruses written using commonly available virus creation tools. Each virus creation application inserts known text into a virus; scanning software can find that code by comparing the contents of files against a known database of virus signatures. Weaknesses in the signature-scanning method abound, however. First, with new viruses, no history is available, so it's difficult to know which code snippets to look for and gather. Second, even when a new virus code signature is found, there's no guarantee that the users have updated their signature files to include the new information. Third, polymorphic viruses mutate their own code so that their signature changes, defeating such filtering tools.
Unlike with signature scanning, with behavior-based tools there's no smoking gun to identify a virus as a known piece of malware. Heuristic scanning has the following advantages: It catches viruses before they're added to signature files. It can watch for malware activities such as replication. Heuristics scanners learn about viruses as they see more examples of them. Of course, heuristic scanners have some shortcomings. Compared to signature-scanning tools, they have the following disadvantages: They trigger more false alarms. They're more expensive. They require more system processing power. They're slower when checking large numbers of files. No program can yet emulate the knowledge and experience of a well-trained virus detective. Scanners can only identify code they think will cause some problem, such as file access routines or code to create new files. Each instruction examined gets filed into a "possible virus code" or "innocent code" bucket. When the scanning finishes, the bucket with the most entries wins and makes the final recommendation.
A scanner application must decide whether file access or file creation is a result of virus activity or general application functions. Suspect behavior and unknown code sequences trigger alarms in heuristic scanners. Some of these suspect files turn out to be innocent, of course, and cause false alarms. False alarms aren't good, but they're better than virus infections. In many ways, heuristic scanners follow the patterns of artificial intelligence software. They show great promise, but the reality has yet to catch up, and the programs are complex. Heuristic scanners improve with time and with each new code iteration. Most vendors offer configuration choices so you can adjust your alarm threshold when necessary, dialing back the sensitivity when you receive too many false alarms.
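The two techniques compared in this section and the one before it (signature matching against a database of known byte patterns, and heuristic scanning that files each observed operation into a "possible virus code" or "innocent code" bucket and lets the fuller bucket win, with an adjustable alarm threshold) can be shown side by side on the mass-mailing case the page uses. The Python below is an added example written for this page, not a vendor's engine; the signature strings are arbitrary constructed patterns rather than real malware signatures, the operation vocabulary is invented, and the three sample programs are constructed to show a known sample, an unknown variant caught only by heuristics, and an installer that becomes a false alarm when the threshold is set too low.

```python
from dataclasses import dataclass

# Constructed stand-ins for a signature database (arbitrary strings, not real signatures).
SIGNATURES = {
    "EXAMPLE.MassMailer.A": b"MAILBOMB-EXAMPLE-SIG",
    "EXAMPLE.BootTrasher.B": b"BOOTTRASH-EXAMPLE-SIG",
}

# Invented operation classes a heuristic engine might recognise while examining a program.
SUSPICIOUS_OPS = {"copy_self", "send_mail_bulk", "write_boot_sector",
                  "disable_antivirus", "hook_disk_read", "format_drive"}
INNOCENT_OPS = {"read_file", "write_file", "create_file", "display_text",
                "open_window", "read_config"}


def signature_scan(data: bytes):
    """Return the names of every known signature whose byte pattern occurs in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


@dataclass
class HeuristicResult:
    suspicious: int
    innocent: int
    unknown: int
    flagged: bool


def heuristic_scan(operations, threshold: float = 0.5) -> HeuristicResult:
    """Bucket each observed operation and flag the program if the suspicious share reaches threshold.

    threshold=0.5 reproduces the page's "fuller bucket wins" rule; raising it
    dials back sensitivity (fewer false alarms, more misses). Operations in
    neither set are counted as unknown and do not vote.
    """
    suspicious = sum(op in SUSPICIOUS_OPS for op in operations)
    innocent = sum(op in INNOCENT_OPS for op in operations)
    unknown = len(operations) - suspicious - innocent
    classified = suspicious + innocent
    share = suspicious / classified if classified else 0.0
    return HeuristicResult(suspicious, innocent, unknown, share >= threshold)


def scan(data: bytes, operations, threshold: float = 0.5):
    """Combine both engines: a signature hit names the malware, heuristics catch the unknown."""
    hits = signature_scan(data)
    heur = heuristic_scan(operations, threshold)
    if hits:
        verdict = "known malware: " + ", ".join(hits)
    elif heur.flagged:
        verdict = "suspicious (heuristic)"
    else:
        verdict = "clean"
    return verdict, hits, heur


# Constructed samples: (file bytes, operations observed while the program runs).
KNOWN_SAMPLE = (b"\x00\x01MAILBOMB-EXAMPLE-SIG\xff",
                ["read_config", "send_mail_bulk"])
NEW_VARIANT = (b"\x00\x01totally-different-bytes\xff",   # no known signature
               ["read_file", "copy_self", "send_mail_bulk", "send_mail_bulk", "disable_antivirus"])
INSTALLER = (b"setup-utility-v2",                        # legitimate, but copies itself once
             ["read_config", "copy_self", "create_file", "create_file", "write_file"])

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", NEW_VARIANT), ("installer", INSTALLER)):
        verdict, _, heur = scan(*sample)
        print(f"{label:10} {verdict:40} suspicious={heur.suspicious} innocent={heur.innocent}")
    # Lowering the threshold turns the installer into a false alarm.
    print("installer at threshold 0.2:", heuristic_scan(INSTALLER[1], threshold=0.2).flagged)
```

The variant is the case the page describes: nothing in its bytes matches the database, yet the bulk mailing and self-copying fill the suspicious bucket. The installer shows why the threshold is configurable: one self-copy among four innocent file operations is clean at the default threshold but flagged at 0.2.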
• Staying up to date
Scanning applications using signature scanning must include newly discovered virus patterns; therefore, you must keep those up to date. Heuristic-scanning tools gradually improve their capabilities for determining the difference between unseen code and potentially harmful virus code. Therefore, you must keep those programs up to date as well. Viruses change, as do antivirus measures, no matter whether they use signature scanning or heuristics. Try to get volume discounts with vendors that offer both virus and spam heuristics tools. In this way, you can leverage advances in heuristic scanning for both areas. Stopping spam also stops some viruses, so getting a volume discount by combining protection purposes makes sense. Remember that heuristic scanners catch unknown virus signatures, protecting you against new viruses as they appear in the wild. After they've been in the wild for a few weeks, your signature-scanning software database includes those new signatures. Lag times between identification via heuristic means, verification by antivirus vendors, and signature database updates shrink each month. So updating your signature file today may well protect you against the virus launched just last month and reaching your network tomorrow. You have antivirus software protecting you, a firewall in place, and antispyware technologies working overtime, so you're well protected, right? You may be, but even the most protected computer networks in the world fall victim to human error from time to time. Therefore, adding a layer of security at the email server level is essential, not optional.
• Protecting email servers and notebook computers
Many different types of programs are available to help protect email servers, including antivirus programs that include additional modules, firewalls, and other elements to help ensure that you're protected. If you use these programs, you don't waste program resources by trying to keep dozens of machines, or even your whole network, safe. It's to your advantage to develop close relationships with your vendors to help ensure your systems are protected and up to date. You shouldn't be afraid to lean on your vendors to do their job. You need to get your information and patches as regularly as possible. Once or twice a month is a patch. Once a quarter or longer is an upgrade, and chances are, the vendor will try to charge you for an upgrade. You need to get a vendor's updates as often as possible, and you shouldn't pay a vendor to fix its company's own problems. Holes in operating systems get the biggest spotlight, but holes can exist in applications as well (for example, Microsoft Word and Excel macro viruses). You shouldn't limit your security planning to just operating systems. It's important to become very friendly with your Microsoft supplier. If your company is big enough to buy directly from Microsoft, you might have an in to the proper level of technical support to get updated virus information. If your company is big enough to buy directly but not big enough to get any real attention from the Microsoft support team, you should make some contacts with local resellers and consultants. Third-party groups can often fill in the Microsoft gaps.
Similarly, befriending other application vendors can work in your favor. If you deal directly with a vendor, you should make contacts within that company's technical support group. If you buy some applications through resellers, it's a good idea to contact a reseller's technical support group before you need help. Every bit of preparation you can do may help reduce the duration of your emergency situation and clear up an infestation sooner rather than later.
 Plan your backup strategy
At some point, files will be trashed, systems will be trashed, and restoration will become a priority. If infection spreads far and wide, you may find yourself in disaster-recovery mode, which isn't a pleasant experience. Are you ready? Is your backup and restoration plan ready? Your backup hierarchy should be able to handle re-creating servers and desktops. With luck and quick action, you may only have to replace some operating system files on a few computers. On the other hand, you may have to completely rebuild servers to rid them of a pernicious virus.

To reach far enough into the past to avoid reinfecting your systems with a dormant form of a virus, you need backups from multiple dates. For operating system file restorations, you should reach as far back as possible: the first backup after operating system installation or after the last service pack upgrade is your best bet. For applications, the first backup after verification of proper working order is a good one. When restoring after a virus attack, you also need to consider your data. Even though data files other than Microsoft Word and Excel documents rarely get infected, you should still scan all data files for viruses and match your data to the application patch level.

Making backups of your routers, switches, and network servers is critical. These systems can be destroyed during firewall probing and hacking, and you need them to be ready before you go back online. In addition to enlisting the support of vendors, getting training, and creating a backup and restoration plan, another important part of proactive protection is forming an action team, which is discussed next.
 Assign responsibilities
In a malware crisis, dividing the jobs and conquering the virus should be your goal. Every infection requires work on multiple fronts. You therefore need to select team members to cover each technical issue you're likely to face, along with overlap to help or cover other areas, as needed. Figure 4-1 shows an example of a malware team structure.

Figure 4-1: Every level of the malware crisis team requires a manager or leader role.

Someone from the malware action team should be involved with your corporate efforts to block and control spam. Malware uses spam as a major transmission medium, so your team must be up to date on spam control technology in general and your company's efforts in particular. Outbreaks often create outgoing spam by harvesting addresses and spreading via email, so your spam control system may have to turn inward to block outgoing traffic as well. A member of the action team should also be involved with your backup procedures and plans for disaster recovery. Files need to be restored, ranging from a few infected DLL files to complete operating systems. Late at night during a crisis is no time to start learning the tape storage nomenclature for restoring files. At least one member of the action team needs to know the details of all backup and restoration procedures and systems.
Someone from the action team should have a library of rescue disks created and ready for use. Every operating system that clients, servers, and support systems use should have a rescue disk ready to go. Copies of the full operating systems for rebuilding systems are necessary as well, but the rescue disks come into play first. You must have a way to boot a system from a clean CD-ROM and start virus-cleaning operations. Having a rescue disk for each operating system is one good option. Having a generic boot, clean, and restoration disk for recovery situations is handy as well. After a system is booted cleanly, virus tools can be put to work.
A member of the action team should be responsible for personal support, including food and drink, during the emergency. Disaster planners sometimes go so far as to buy military MRE (meals ready to eat) packets, but that nourishment (hard to call it food) passes inspection only when there's a general disaster in the area. For a virus attack on your network, local pizza parlors and sandwich shops will still be open for business. Someone must plan ahead and build procedures for ordering and delivering food and drink during your virus exorcism. Yes, you can fight viruses without a pizza coordinator, but feeding your crew will keep them working longer and happier. Candy bars from the vending machines only go so far, and some real sustenance becomes important by the 20th hour of working to recover. Even well-prepared organizations can be blindsided by malware.
 Reacting to security problems
Despite all your well-laid plans, at some point, your company will have a problem. Just as you can't close every hole in your building against mice, ants, and cockroaches, you can't close every hole in your network against worms, viruses, and Trojans. It isn't a question of if, but when, so you shouldn't feel guilty, but you should get ready.
 Know when to sound the alarm
Every alarm system, including those on your network, includes a threshold. You should set your network's alarms to allow a few anomalies now and then to prevent unnecessary panic. Many odd application and operating system occurrences look like viruses at times but aren't. You must decide when an anomaly gets listed as a virus.
It's important that you keep your finger on the pulse of your network and notice how many odd things happen regularly. You can check help desk logs to learn the normal noise level of virus-like activity. When you know the regular flow of mishaps, you can tell when a mishap really deserves to be called out of the ordinary and worthy of a serious reaction.
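As an added example (not from the original text) of learning the noise level from help desk logs, this script counts virus-like tickets per ISO week in a constructed ticket export and flags a week whose count exceeds the historical mean plus three standard deviations, with a floor so that a very quiet baseline doesn't alarm on a single extra ticket. The log format, the category label, and the threshold rule are assumptions made for the demonstration.

```python
"""Help-desk noise baseline: flag a week whose count of virus-like tickets
is unusual compared with the normal background rate.

Added example for this page, not code from the original text. The ticket
export below is constructed; its layout ('date ticket category summary')
and the threshold rule are assumptions.
"""
import statistics
from datetime import date

# Constructed help-desk export: ISO date, ticket id, category, free text.
HELPDESK_LOG = """\
2011-01-03 T1001 virus-like pc slow, popups
2011-01-05 T1007 printer cannot print to floor 2
2011-01-06 T1012 virus-like antivirus icon gone
2011-01-11 T1020 virus-like odd error on boot
2011-01-14 T1025 password reset
2011-01-18 T1031 virus-like pc restarts on its own
2011-01-20 T1033 virus-like strange dialog boxes
2011-01-25 T1040 virus-like slow pc
2011-01-27 T1044 printer jam
2011-02-01 T1050 virus-like av disabled
2011-02-03 T1052 virus-like pc locks up
2011-02-08 T1060 password reset
2011-02-09 T1061 virus-like unknown desktop icons
2011-02-10 T1062 virus-like double extension attachment opened
2011-02-14 T1070 virus-like pc restarts every few minutes
2011-02-15 T1071 virus-like av will not start
2011-02-15 T1072 virus-like av will not start
2011-02-16 T1073 virus-like cannot reach file server
2011-02-16 T1074 virus-like slow pc, popups
2011-02-17 T1075 virus-like pc restarts every few minutes
2011-02-17 T1076 virus-like av disabled
2011-02-18 T1077 virus-like unknown icons
"""


def parse_log(text):
    """Yield (date, ticket id, category) from the constructed export format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ticket, category, *_summary = line.split(" ", 3)
        yield date.fromisoformat(day), ticket, category


def weekly_counts(text, category="virus-like"):
    """Count tickets of one category per ISO week, keeping weeks that had
    other tickets but none of this category (their count stays zero)."""
    counts = {}
    for day, _ticket, cat in parse_log(text):
        week = tuple(day.isocalendar()[:2])   # (ISO year, ISO week number)
        counts.setdefault(week, 0)
        if cat == category:
            counts[week] += 1
    return dict(sorted(counts.items()))


def assess_week(counts, week, sigmas=3.0, floor=2):
    """Compare one week with all earlier weeks and decide whether to alarm."""
    history = [n for w, n in counts.items() if w < week]
    if len(history) < 2:
        raise ValueError("need at least two baseline weeks")
    mean = statistics.mean(history)
    stdev = statistics.stdev(history)
    # The floor stops a near-constant baseline from alarming on one extra ticket.
    threshold = max(mean + sigmas * stdev, mean + floor)
    return {
        "week": week,
        "count": counts[week],
        "baseline_mean": round(mean, 2),
        "threshold": round(threshold, 2),
        "alarm": counts[week] > threshold,
    }


if __name__ == "__main__":
    by_week = weekly_counts(HELPDESK_LOG)
    for wk in list(by_week)[2:]:
        print(assess_week(by_week, wk))
```

In the constructed data the first six weeks run at one or two virus-like tickets each; week 7 jumps to eight, which clears the threshold and is the point at which the alarm in the text is justified. Real exports will need their own parser, but the decision rule stays the same: compare this week with what the same log says is normal.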

Track what's normal so you know what's not. When you experience anomalies, you should check known operating system and application FAQs (frequently asked questions) and also watch whether
As with other technology problems, it's important to know what's changed.
You need to verify that nothing has changed in any of the following:
 Operating system levels
 Patch levels
 New network devices
 Application upgrades
 New monitoring software
 New applications
 Directory structure

Any changes in these areas can create situations that look like virus attacks. Can't find a server? Maybe a virus clobbered your drivers. Or maybe a new DHCP (Dynamic Host Configuration Protocol) server isn't supplying the right name server IP address, leaving a few clients blind as they wander around the network. In most situations, thankfully, news of outbreaks elsewhere on the Internet reaches you before an infected message gets through your defenses. When you can see the storm coming over the horizon, you can determine whether it has hit you by looking for the expected signs of infection inside your network.
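As an added example (not from the original text) of recording what's normal so you can tell what has changed, this script builds a SHA-256 manifest of a file tree and then reports modified, added, and missing files against it. The sample tree, the simulated tampering, and the manifest format are constructed for the demonstration; on a real system you would baseline the operating system and application directories right after installation or patching, store the manifest off the machine, and compare when something looks odd.

```python
"""File-integrity baseline: record what's normal, then report what changed.

Added example for this page, not code from the original text. It hashes
every regular file under a root directory with SHA-256 and diffs a later
snapshot against that baseline. The sample tree is constructed in a
temporary directory; the manifest layout is an assumption.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file's path (relative to root, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_snapshots(baseline, current):
    """Classify every path as modified, added or missing relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, and diff the two."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "system32/kernel32.dll": b"clean kernel32",
            "system32/user32.dll": b"clean user32",
            "app/word.exe": b"clean word",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Simulated infection: one DLL patched, one file dropped, one deleted.
        with open(os.path.join(root, "system32/user32.dll"), "wb") as fh:
            fh.write(b"clean user32" + b"\x90" * 8)
        with open(os.path.join(root, "system32/svchost.exe"), "wb") as fh:
            fh.write(b"dropper")
        os.remove(os.path.join(root, "app/word.exe"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A hash manifest answers the "what changed?" question for files only; patch levels, new network devices, and directory structure from the list above still need their own records, but the same baseline-then-compare discipline applies to each.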
With internal malware problems, you get no warning. When problems don't respond to normal troubleshooting processes and start to multiply and spread across the network, you may need to sound the alarm. You should structure your responses so that you can call a halt to a virus response if you find out it's a false alarm. Just as a fire truck sometimes goes out but does not unroll the hoses and spray water, your team should be able to stop before going into full-fledged crisis mode.

 Unleash the malware action team
Management must be involved in the call to pull the malware action team into play. The team must have a clear mandate from management to start work because the team's activities will be disruptive to many employees. Any time your network will be out of action for a while, you need management approval. You should work with your management liaison to determine when a problem has spread enough to warrant calling the malware action team. You should show your management champion evidence of serious infection by comparing the current situation to normal network activity. You're asking this executive to make a serious decision to commit plenty of company resources in a highly visible situation.
Many executives work hard to hide from tough decisions, so you need to train your executive proactively so that you can get approval to start working before a problem spreads too far. How will you give out the call to put the malware action team into play? Email probably won't be the best choice because email systems are targets for viruses, and delivery can become unreliable. Phones will still work, and pagers will work if you don't rely on computer-based signaling systems or need a particular computer to send messages. Wireless connection quality will depend on what type of virus attack is under way and whether the wireless network components are involved. Having one method of calling the team isn't enough. You need to ensure that you have at least two contact methods for every action team member.
 Clean up and debrief
When a malware episode ends, your job continues. Someone must assess what happened and why, and must clean up the remaining damage. Before you dive into all that, however, you should rest for a day. The action team needs its own restoration and a chance to recover from the mental and physical exertion of reacting to the emergency. Tired teams do lousy work, but rested teams have a chance to mentally sift through the actions taken during the process. A period of reflection allows ideas to bubble up and puts the mess into perspective. A full investigation, tracking the who, what, where, when, and why of the episode, must be your first order of business when you reconvene the team.
Sometimes, an attack comes from a direction no one had ever considered, and no one can be blamed for the mess. More often, however, some level of human error caused the problem. In such a situation, you may know whom to blame, and you might want to hang the offending person in the public square as an example to the others. You shouldn't do that, even though you think it might make you feel better. Placing blame will get you nowhere, but doing a full investigation and recommending security improvements can help you avoid a similar situation in the future.
After the team has gathered, discussed, and prioritized improvements, it needs to implement them. Good ideas on paper don't protect systems from viruses; good ideas put to work on your network do. After a crisis, you need to amend your proactive virus protection activities. You need to patch new holes and then watch them. You also need to manage new vendors to improve their patch delivery. Finally, you must retrain new users (and retrain them again, if necessary) to prevent future mistakes. If your action team and accompanying plan don't get larger with each episode, something is not right. However, at some point, you may get everything automated to the point where you're sliding down the backside of the learning curve and have your network protected as well as possible.
You've proactively planned for every possible malware attack, and you've implemented all the protection techniques you can. But you're still at the mercy of a dangerous security threat: the humans who use your network.

 Understanding the human element
The old joke that "user" is a four-letter word sums up the relationship between security administrators and normal users. On one hand, a network exists to serve the connected users, not vice versa. Without users, there's no reason for a network. On the other hand, user actions cause more anguish to IT support people than almost anything else. Users may not care about directory services, RAID (redundant array of inexpensive disks) level 5, or blocking firewall ports used by IM (instant messaging), but they do care about their files. And they know that viruses can cause their hard disks to melt into molten aluminum, drip out of their computer cases, and pool on the floor. Or at least they know that virus infections can cause their computers to act even stranger than normal.
 Virus protection training and reminders
Every training opportunity needs to include a reminder about virus protection processes. During company operating system or new application training, you should distribute your organization's official virus protection guidelines. You can also add a virus reminder page to a vendor training packet and put virus warnings and security steps on the company's intranet. You should take advantage of every opportunity to get your message across. If possible, you should schedule special security and virus protection classes for every employee. If you can't cover everyone, you should create a half-day training class for all department managers and power users. The more they know, the more they can help teach their users and coworkers.

List of Top 10 Antivirus of 2011

1. Bit Defender Antivirus 2011
2. Norton Antivirus 2011
3. F-Secure Antivirus 2011
4. ESET NOD32 Antivirus 4
5. Kaspersky Antivirus 2011
6. TrendMicro Antivirus 2011
7. Panda Antivirus 2011
8. AVG Antivirus 2011
9. ZoneAlarm Antivirus 2011
10. G Data Antivirus 2011